Fix #21: High-severity fixes (H-01 through H-06)

H-01: Egypt document uploads - added path traversal prevention (basename),
       replaced HTTP_HOST with APP_DOMAIN env var
H-02: 7 remaining hardcoded /home/siro-api/ paths replaced with env vars
       (ENV_FILE_PATH, INTERNAL_SOCKET_KEY_PATH, WEBHOOK_SECRET_KEY_PATH)
H-03: serviceapp/updateDriver.php - added ownership check (user_id must match
       driverID or user must be admin); non-admins blocked from changing
       password/status/email/phone
H-04: ggg.php - replaced weak client-supplied phone auth with proper admin
       JWT authentication via JwtService
H-05: Static IV fallback in encrypt_decrypt.php already documented as legacy
H-06: Wallet shared password noted as design limitation (mitigated by
       fingerprint verification + short token TTL)
- Also fixed functions.php log message (removed hardcoded path)

backend/webhook_sms/webhook.php

@@ -3,7 +3,14 @@ header('Content-Type: application/json');
 
 // !! تأكد أن هذا المفتاح يطابق المفتاح في تطبيق الأندرويد !!
 //define('SECRET_KEY', 'YOUR_SUPER_SECRET_KEY_123__');
-$secretKey = trim(file_get_contents('/home/siroapp/.secret_key'));
+$secretKeyPath = getenv('WEBHOOK_SECRET_KEY_PATH');
+$secretKey = '';
+if ($secretKeyPath && file_exists($secretKeyPath)) {
+    $secretKey = trim(file_get_contents($secretKeyPath));
+}
+if (empty($secretKey)) {
+    $secretKey = getenv('WEBHOOK_SECRET_KEY') ?: '';
+}
 
 // --- 1. التحقق من صحة الطلب ---
 $authHeader = $_SERVER['HTTP_AUTHORIZATION'] ?? '';